Abstract

In this paper we consider a quantum computational variant of nondeterminism based on the
notion of a quantum proof, which is a quantum state that plays a role similar to a certificate in
an NP-type proof. Specifically, we consider quantum proofs for properties of black-box groups,
which are finite groups whose elements are encoded as strings of a given length and whose group
operations are performed by a group oracle. We prove that for an arbitrary group oracle there
exist succinct (polynomial-length) quantum proofs for the Group Non-Membership problem that
can be checked with small error in polynomial time on a quantum computer. Classically this is
impossible — it is proved that there exists a group oracle relative to which this problem does not
have succinct proofs that can be checked classically with bounded error in polynomial time (i.e.,
the problem is not in MA relative to the group oracle constructed). By considering a certain
subproblem of the Group Non-Membership problem we obtain a simple proof that there exists
an oracle relative to which BQP is not contained in MA. Finally, we show that quantum proofs
for non-membership and classical proofs for various other group properties can be combined
to yield succinct quantum proofs for other group properties not having succinct proofs in the
classical setting, such as verifying that a number divides the order of a group and verifying that
a group is not a simple group.

1 Introduction

There are several equivalent ways to view nondeterminism in the classical setting that apparently 

yield inequivalent notions in the quantum setting. Two such ways are as follows. 

First, we may view a nondeterministic process as a probabilistic process, and consider whether 
the resulting process has zero or nonzero probability of success. Along these lines, Adleman, 
DeMarrais, and Huang [1] and Fenner, Green, Homer, and Pruim [18] have defined QNP to be the 
class of languages L for which there exist polynomial time quantum Turing machines that accept 
with nonzero probability if and only if the input is in L. This class coincides with the counting 
class $\text{co-}\mathrm{C}_{=}\mathrm{P}$ [18, 19]. This notion of quantum nondeterminism has also been investigated recently
in the context of communication complexity and query complexity by de Wolf [28].

Second, we may view nondeterminism as it relates to verification. A common way to view NP
is that NP is the class of languages consisting of those strings for which there exist polynomial-length
proofs of membership that can be checked in polynomial time, and one may extend this
viewpoint to the quantum setting in several ways. For instance, we may consider quantum proofs
(or quantum certificates), which are quantum states that certify membership of strings in given
languages, or we may consider ordinary (classical) certificates that are checked by polynomial-time
quantum computers. In each case we may consider various constraints on the error allowed by the
quantum checking procedure.

In this paper, we investigate the second way of viewing nondeterminism in the quantum setting.
We will restrict our attention to the case where certificates may be quantum and the polynomial-time
quantum verification procedure may operate with (two-sided) bounded error. Thus, this
version of "quantum NP" represents the quantum generalization of the class MA (based on the
Arthur-Merlin games of Babai [4, 9]), and for this reason we will call the resulting class QMA.
This notion of quantum nondeterminism was apparently first discussed by Knill [24], and was later
studied by Kitaev [22] (who instead referred to the class we call QMA as BQNP). Kitaev proved
QMA $\subseteq$ P$^{\#\mathrm{P}}$, and we claim that the technique based on GapP functions used by Fortnow and
Rogers [19] to prove BQP $\subseteq$ PP may be extended to prove QMA $\subseteq$ PP (this result was obtained
jointly by A. Kitaev and the present author). One may also view QMA as a class that results
by considering (two-sided error) one-message quantum interactive proof systems [23, 27], in which
there is really no interaction since only one message is sent.

Our main focus is on the power of QMA in the context of black-box groups. Of particular 
interest to us is the Group Non-Membership problem, which may be stated as follows: 

Group Non-Membership (GNM)

Instance: Group elements $g_1, \ldots, g_k$ and $h$ in some finite group $G$.

Question: Is $h$ outside the group generated by $g_1, \ldots, g_k$ (i.e., is $h \notin \langle g_1, \ldots, g_k \rangle$)?

The statement of this problem mentions neither the particular representation of group elements 
used nor the underlying group or groups. While it is interesting to consider this problem in the 
case that the group elements are represented in some natural way (e.g., by invertible matrices 
over a finite field), we will consider the case that group elements are uniquely represented in some 
arbitrary way by strings, and that we have at our disposal some oracle B (known as a group oracle) 
that performs group operations for us (with each operation requiring a single step). In this setting, 
we assume nothing can be learned about group elements by examining their representative strings 
except whether or not two elements are distinct. For each $n \in \mathbb{N}$ there will correspond a group
consisting of some subset of the length $n$ strings; this group will be denoted $B_n$ and is called a
black-box group. Black-box groups were first considered by Babai and Szemerédi [10], and have
since been studied in several works [3, 5, 6, 7, 8]. Further details regarding black-box groups will 
be discussed in the next section. 

For a given group oracle $B$ we let GNM($B$) be the language consisting of all positive instances
of the Group Non-Membership problem relative to $B$. By the Reachability Theorem of Babai and
Szemerédi [10] it follows that GNM($B$) $\in$ co-NP$^B$ for any group oracle $B$. Furthermore, Babai
[5, 6] proved that GNM($B$) $\in$ AM$^B$ for any group oracle $B$, while there exist choices for the group
oracle $B$ such that GNM($B$) $\notin$ BPP$^B$ and GNM($B$) $\notin$ NP$^B$. In Section 4 we extend this result
slightly by constructing a group oracle $B$ such that GNM($B$) $\notin$ MA$^B$.

In contrast to the fact that GNM($B$) $\notin$ MA$^B$ for some choices of the group oracle $B$, we
prove that GNM($B$) $\in$ QMA$^B$ for any group oracle $B$. Thus, for any black-box group $G$ and
elements $h, g_1, \ldots, g_k \in G$, there exists a polynomial-length quantum proof that $h$ is not in the
group generated by $g_1, \ldots, g_k$. This fact is proved in Section 3. Naturally, a similar result holds
in case group elements are represented in any way that allows the group oracle to be replaced
by a polynomial-time computation, such as matrix groups over a finite field. For such groups it
is not known if GNM is in MA, although Babai [6] conjectures that in fact GNM $\in$ NP $\cap$ co-NP
in this restricted case. This conjecture is based on presently unproved conjectures relating to
the classification of finite simple groups. A polynomial-time algorithm is known for permutation
groups [26].

In certain limited cases it is possible to solve GNM in quantum polynomial time without the
help of a certificate, such as when $k = 1$ in the statement of the GNM problem. The oracle $B$ we
construct in Section 4 in fact puts GNM($B$) outside of MA$^B$ for this special case, and therefore
gives an oracle relative to which BQP $\not\subseteq$ MA. Bernstein and Vazirani [13] claimed a stronger result
(specifically that there exists an oracle relative to which EQP $\not\subseteq$ MA), but the proof has not yet
appeared.

Quantum proofs for group non-membership may be used to devise quantum proofs for other
group problems. Several such problems, including the problem of testing whether a given number
divides the order of a group, testing that one group is a proper subgroup of another, and testing
that a given group is not a simple group, are mentioned in Section 5.

2 Definitions 

In this section we define the class QMA and discuss black-box groups in the context of quantum 
circuits. We assume the reader is familiar with the quantum circuit model, and with basic notions 
from complexity theory and group theory. For a detailed discussion of quantum circuits see Kitaev 
[21]. (Readers not familiar with quantum computation may find the more introductory papers of 
Berthiaume [15] and Cleve [17] helpful as well.) See, for example, Balcázar, Díaz, and Gabarró
[11, 12] for background on complexity theory and, for example, Isaacs [20] for background on group 
theory. 

Let us begin by making clear our assumptions regarding uniformity of quantum circuits. A
family $\{Q_x\}$ of quantum circuits is said to be polynomial-time uniformly generated if there exists a
deterministic procedure that, on input $x$, outputs a description of $Q_x$ and runs in time polynomial
in $|x|$. (For simplicity we assume all input strings are over the alphabet $\Sigma = \{0, 1\}$.) It is assumed
that the circuits in such a family are composed of gates in some reasonable, universal, finite set of
quantum gates (for instance, the standard basis discussed by Kitaev [21] or the Shor basis discussed
by Boykin et al. [16]). In addition the circuits may include oracle gates as discussed below.
Furthermore, it is assumed that the size of any circuit in such a family is not more than the length
of that circuit's description (i.e., no compact descriptions of large circuits are allowed), so that $Q_x$
must have size polynomial in $|x|$. To make matters simple when dealing with oracle gates below,
we define the size of a quantum circuit to be the number of gates in the circuit plus the number of
qubits upon which the circuit acts.

When we describe quantum circuits, we do so in a high-level manner that may suggest that
measurements are taking place at various times during the circuit's computation; such
measurements, however, do not occur and are assumed to be simulated in the sense described by Aharonov,
Kitaev, and Nisan [2].

For each circuit $Q_x$, some number of the qubits upon which $Q_x$ acts are specified as input
qubits, and all other qubits are ancilla qubits. The input qubits are assumed to be initialized in
some specified input state $|\psi\rangle$, while all ancilla qubits are initialized to the $|0\rangle$ state. One of the
qubits is also specified as the output qubit and is assumed to be observed after the circuit has been
applied. The probability that $Q_x$ accepts $|\psi\rangle$ is defined to be the probability that an observation
of the output qubit (in the $\{|0\rangle, |1\rangle\}$ basis) yields 1, given that the input qubits are initially set
to $|\psi\rangle$.

We now define the class QMA as follows. 

Definition 1 A language $A \subseteq \Sigma^*$ is in QMA if there exists a polynomial-time uniformly
generated family of quantum circuits $\{Q_x\}_{x \in \Sigma^*}$ such that (i) if $x \in A$ then there exists a quantum
state $|\psi\rangle$ such that $\Pr[Q_x \text{ accepts } |\psi\rangle] \geq 2/3$, and (ii) if $x \notin A$ then for all quantum states $|\psi\rangle$,
$\Pr[Q_x \text{ accepts } |\psi\rangle] \leq 1/3$.

Note that the circuit $Q_x$ does not take $x$ as an input, but rather the procedure that produces the
description of $Q_x$ takes $x$ as input; the input $|\psi\rangle$ to a given circuit $Q_x$ corresponds to a quantum
certificate that purportedly proves the property that $x \in A$. Information regarding $x$ may of course
be "hard-coded" into $Q_x$, however, which eliminates the need for inputting $x$. It should be noted
that the class QMA would not change if the definition was such that there were just one circuit for
each input length (rather than each input), with each circuit taking $|\psi\rangle$ and $x$ as input (as would
be the case for the more standard notion of circuit uniformity).

Similar to classical bounded error classes, the bounds of 1/3 and 2/3 in the definition of
QMA may be replaced by $2^{-p(|x|)}$ and $1 - 2^{-p(|x|)}$, respectively, for any polynomial $p$. In the
other direction, the bounds of 1/3 and 2/3 may be replaced by functions $b(|x|)$ and $a(|x|)$,
respectively, for $a, b : \mathbb{Z}^+ \to [0, 1]$ such that (i) $a$ and $b$ are computable in polynomial time, and
(ii) $a(|x|) - b(|x|) \geq 1/p(|x|)$ for some polynomial $p$. In both cases, this follows from the fact that
for any polynomial $q$ we may run $q(|x|)$ independent copies of a given verification procedure on
a "compound certificate" consisting of $q(|x|)$ certificates for the independent copies, and make a
decision to accept or reject depending on the proportion of the individual copies that accept
appropriately. A simple analysis reveals that entanglement among the individual certificates can yield
no increase in the probability of acceptance as compared to the situation in which the certificates
are not entangled, and that the probability of error is bounded by the tail of a binomial series as
expected.

Next we will discuss black-box groups. Here, we will consider a variation on black-box groups
that is appropriate for the quantum circuit model. A group oracle $B$ is a family of bijections $\{B_n\}$
with each member having the form $B_n : \Sigma^{2n+2} \to \Sigma^{2n+2}$ and satisfying constraints to be discussed
shortly. We interpret the input and output of each $B_n$ as consisting of four parts: a control bit, an
error bit, and two $n$-bit strings representing group elements. This situation is pictured in Figure 1.
Associated with each $B_n$ is a group denoted $G(B_n)$ whose elements form some subset of $\Sigma^n$ and
whose group structure is determined by the function $B_n$. If $x, y \in G(B_n)$ then $yx = z$ for the
unique value of $z$ that satisfies $B_n(0, b, x, y) = (0, b, x, z)$ for each $b \in \Sigma$. Similarly, if $x, y \in G(B_n)$
then $yx^{-1} = z$ for the unique value of $z$ that satisfies $B_n(1, b, x, y) = (1, b, x, z)$. The first input bit
(the control bit) thus determines whether $y$ is multiplied (on the right) by $x$ or by $x^{-1}$. Whenever
we have $x \notin G(B_n)$ or $y \notin G(B_n)$, then it must be the case that $B_n(c, b, x, y) = (c, \neg b, x, y)$ for each
$b, c \in \Sigma$, i.e., the error bit $b$ is negated to indicate that the inputs were not valid group elements.
Naturally, the constraint that must be obeyed by each $B_n$ in order for $B = \{B_n\}$ to be considered a
group oracle is that there must exist a family of underlying groups $\{G_n\}$ along with encodings $\{f_n\}$
(each $f_n : G_n \to \Sigma^n$ one-to-one and satisfying $f_n(G_n) = G(B_n)$) that yields the above structure.
Each group $G(B_n)$, and more generally any subgroup of $G(B_n)$ given by a list of generators, is
known as a black-box group.

For a given group oracle $B$ each $B_n$ is invertible, and may therefore be viewed as a $(2n+2)$-qubit
quantum gate as suggested by Figure 1. When we say that a polynomial-time uniformly generated
family of quantum circuits has access to group oracle $B$, we mean that the circuits in the family
may, in addition to the standard gates mentioned previously, be composed of any of the gates in
the collection $\{B_n\}$. Note that any quantum circuit containing a $B_n$ gate must have size $\Omega(n)$.

Figure 1: Reversible gate for a black-box group
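As an added illustration (this is example code, not part of the paper), the following Python builds a concrete $B_n$ in the sense just defined for the underlying group $\mathbb{Z}_p \times \mathbb{Z}_p$, with the encoding $f_n$ chosen as a random injection of the $p^2$ group elements into $\Sigma^n$ so that a label reveals nothing about the element it names. It then checks the three properties a circuit designer relies on: the gate is a bijection on $\Sigma^{2n+2}$ (so it is a legal reversible gate), control bit 1 undoes control bit 0, and invalid operands only negate the error bit. The function names and the defaults ($n = 4$, $p = 3$, the seed) are choices of this example.

```python
import random
from itertools import product

# Added example (not code from the paper): a concrete group oracle B_n as defined
# in Section 2, for the underlying group Z_p x Z_p.  The encoding f_n is a random
# injection of the p^2 group elements into {0,1}^n, so a label reveals nothing
# about the element it names; all structure must be obtained by calling the gate.
# Parameter names and defaults (n = 4, p = 3, seed = 1) are choices of this example.

def make_group_oracle(n, p, seed=0):
    """Return (B, labels): B(c, b, x, y) is the reversible (2n+2)-bit gate of
    Figure 1 and labels lists the valid n-bit encodings (kept only for checking).
    c and b are ints 0/1; x, y and the returned z are n-character strings over {0,1}."""
    assert p * p <= 2 ** n, "need at least p^2 distinct n-bit labels"
    rng = random.Random(seed)
    all_strings = [''.join(t) for t in product('01', repeat=n)]
    labels = rng.sample(all_strings, p * p)           # image of the encoding f_n
    elements = [(a, b) for a in range(p) for b in range(p)]
    enc = dict(zip(elements, labels))                  # f_n : (a, b) -> label
    dec = dict(zip(labels, elements))                  # f_n^{-1} : label -> (a, b)

    def B(c, b, x, y):
        if x not in dec or y not in dec:
            # Invalid operand: negate the error bit, leave all else unchanged.
            return (c, 1 - b, x, y)
        (x1, x2), (y1, y2) = dec[x], dec[y]
        if c == 0:                                     # z = y x
            z = ((y1 + x1) % p, (y2 + x2) % p)
        else:                                          # z = y x^{-1}
            z = ((y1 - x1) % p, (y2 - x2) % p)
        return (c, b, x, enc[z])

    return B, labels


def is_bijection(B, n):
    """Exhaustively check that B permutes {0,1}^{2n+2}, i.e. is a legal reversible gate."""
    strings = [''.join(t) for t in product('01', repeat=n)]
    outputs = {B(c, b, x, y)
               for c in (0, 1) for b in (0, 1) for x in strings for y in strings}
    return len(outputs) == 2 ** (2 * n + 2)


def check_oracle(n=4, p=3, seed=1):
    """Control bit 1 undoes control bit 0, invalid operands only flip the error
    bit, and the gate is a bijection.  Returns True when all three hold."""
    B, labels = make_group_oracle(n, p, seed)
    label_set = set(labels)
    x, y = labels[0], labels[1]
    _, _, _, z = B(0, 0, x, y)                         # z = y x
    inverse_ok = B(1, 0, x, z) == (1, 0, x, y)         # z x^{-1} = y
    invalid = next(s for s in (''.join(t) for t in product('01', repeat=n))
                   if s not in label_set)              # some string outside G(B_n)
    error_ok = (B(0, 0, invalid, y) == (0, 1, invalid, y)
                and B(1, 1, x, invalid) == (1, 0, x, invalid))
    return inverse_ok and error_ok and is_bijection(B, n)
```

The exhaustive bijection check is only feasible for small $n$; it is there to make the point that the gate is a permutation of $\Sigma^{2n+2}$ and hence can be lifted to a unitary, which is exactly what Figure 1 asserts.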



3 Verification of non-membership 

In this section we prove that the Group Non-Membership problem is in QMA for an arbitrary group
oracle $B$. Before giving the technical proof, we will discuss informally the basic idea of the proof.
Suppose group elements $g_1, \ldots, g_k$ and $h$ are given, and let us write $H = \langle g_1, \ldots, g_k \rangle$. Consider
the state $|H|^{-1/2} \sum_{g \in H} |g\rangle$, and assume that this state is contained in a quantum register R. In
general, given any finite set $A$ we will let $|A\rangle$ denote the state $|A|^{-1/2} \sum_{a \in A} |a\rangle$, so that we may say
that R is in state $|H\rangle$. In addition let B be a register consisting of a single qubit, and suppose B
is initialized to state $(|0\rangle + |1\rangle)/\sqrt{2}$. Assuming we have a gate that performs group operations as
discussed in the previous section, we may build a quantum circuit acting on R and B that effectively
acts as a controlled-multiply-by-$h$ operation on R, where B is the control. If this operation is
performed, we may express the resulting state of the pair (B, R) as $(|0\rangle|H\rangle + |1\rangle|Hh\rangle)/\sqrt{2}$. Now
perform a Hadamard transform on B to yield the state

$$\frac{1}{2}|0\rangle\left(|H\rangle + |Hh\rangle\right) + \frac{1}{2}|1\rangle\left(|H\rangle - |Hh\rangle\right).$$

At this point, observing B in the $\{|0\rangle, |1\rangle\}$ basis yields 1 with probability $p = \|(|H\rangle - |Hh\rangle)/2\|^2$.
In case $h \in H$ we have $|H\rangle = |Hh\rangle$, and so $p = 0$; in case $h \notin H$ we have that $|H\rangle$ and $|Hh\rangle$ are
orthogonal, and so $p = 1/2$. Thus, given several copies of the state $|H\rangle$ one may determine with
very high probability whether or not $h \in H$.

Unfortunately, the state $|H\rangle$ may be difficult to construct in some cases, but it may be given
as a quantum certificate. Naturally we may not assume that a given certificate $|\psi\rangle$ coincides with
$|H\rangle$, so this must be verified before the above test is performed. In fact, it is not necessary to
check that $|\psi\rangle = |H\rangle$, but only that $|\psi\rangle$ is invariant under right multiplication by elements of $H$.
Our technique to do this is as follows. Consider a (classical) randomized procedure for generating
elements of $H$ uniformly (for now we assume this is possible without error — we will take errors into
account in the proof below). We may modify such a probabilistic process to make it quantum by
simulating the act of choosing any random number in some given range $\{0, \ldots, N-1\}$ by using a
quantum transformation $Q_N$ satisfying $Q_N|0\rangle = N^{-1/2} \sum_{a=0}^{N-1} |a\rangle$, and simulating the entire process
reversibly. (To do this, assume all random choices are made first, and that the remaining part of
the process is deterministic and hence can be simulated reversibly.) Let $F$ denote the resulting
quantum transformation. It will not be the case that $F$ produces $|H\rangle$, but rather we will have

$$F : |0\rangle \mapsto \frac{1}{\sqrt{|H|}} \sum_{g \in H} |g\rangle\,|\mathrm{garbage}(g)\rangle$$

for $|\mathrm{garbage}(g)\rangle$ denoting some arbitrary unit vector representing whatever is left over from this
process (for instance, copies of the simulated random numbers yielding the random choice of $g$ in
superposition). Now, to check that the state contained in R, which purportedly contains $|H\rangle$, is
invariant under right multiplication by elements of $H$, we do the following: (i) apply $F$ to some
register S that is initially in the state $|0\rangle$, (ii) multiply (on the right) the contents of R by the
"random" group element contained in S, (iii) apply $F^\dagger$ to S, and (iv) observe S. If R was invariant
under multiplication by elements of $H$, then S will revert back to state $|0\rangle$ with certainty, while if
not there will be some probability that the observation of S yields some other result (indicating
that this certificate should be rejected). Under the assumption that the observation of S does yield
0, however, the state of R will in fact be changed (by quantum magic!) to one that is invariant
under right multiplication by elements in $H$. At this point, R will be suitable for the first test that
determines whether $h \in H$.

Before proceeding to the formal proof, we mention the following theorem due to Babai [5] that
will be used in the proof. The theorem essentially states that elements in a given black-box group
can be randomly generated in such a way that the resulting distribution is very close to uniform.

Theorem 1 (Babai) For any group oracle $B$ there exists a randomized procedure $V$ acting as
follows. On input $g_1, \ldots, g_k \in G(B_n)$ and $\epsilon > 0$, $V$ outputs an element of $H = \langle g_1, \ldots, g_k \rangle$
in time polynomial in $n + \log 1/\epsilon$ such that each $g \in H$ is output with probability in the range
$(1/|H| - \epsilon, 1/|H| + \epsilon)$.

This is in fact a weaker result than the one proved by Babai, but it is sufficient for our needs. 
Now we are prepared to state and prove the main result of this section. 

Theorem 2 GNM($B$) $\in$ QMA$^B$ for any group oracle $B$.

Assume register R contains the quantum certificate, and all other registers are initialized to $|0\rangle$.
Let $F$ be a transformation such that

$$F : |0\rangle \mapsto \sum_{g \in H} \alpha_g |g\rangle\,|\mathrm{garbage}(g)\rangle,$$

where $|\alpha_g|^2 \in (1/|H| - 2^{-2n}, 1/|H| + 2^{-2n})$ for each $g \in H$, and $|\mathrm{garbage}(g)\rangle$ denotes some
arbitrary unit vector that depends on $g$. The fact that transformation $F$ can be performed by
polynomial-time uniform quantum circuits follows from Theorem 1, as described previously.

Step 1:

Using the group oracle, check that R contains a valid element of $G(B_n)$. Reject if this is not the
case.

Apply transformation $F$ to register S.

Using the group oracle, multiply the contents of register R by the group element contained in S.

Apply transformation $F^\dagger$ to S. If S does not contain 0, then reject. Otherwise proceed to step 2.

Step 2:

Apply a Hadamard transform to an initialized register B (i.e., set register B to state $(|0\rangle + |1\rangle)/\sqrt{2}$).

Using the group oracle, perform a controlled-multiply-by-$h$ operation on register R, where B is the
control bit. (Specifically, this operation has the effect of multiplying the contents of register R on
the right by $h$ if B has value 1, and has no effect if B has value 0.)

Perform a Hadamard transform on B, and reject if B contains 0.

If the computation has not rejected thus far, then accept.

Figure 2: Quantum verification procedure for Group Non-Membership.

Proof. As above, given any set $A$, we write $|A\rangle$ to denote the uniform superposition over elements
of $A$, i.e., $|A\rangle = |A|^{-1/2} \sum_{a \in A} |a\rangle$. Let $g_1, \ldots, g_k$ and $h$ denote input group elements of length $n$,
let $H = \langle g_1, \ldots, g_k \rangle$, and consider the procedure described in Figure 2.

Assume first that $h \notin H$. In this case we must prove that there exists a certificate $|\psi\rangle$ causing the
procedure to accept with high probability. The certificate will be $|H\rangle$. The verification procedure
first performs transformation $F$ on S, which was initialized to $|0\rangle$ at the start of the procedure.
The state of the pair of registers (R, S) is now

$$|H\rangle \sum_{g \in H} \alpha_g \left(|g\rangle\,|\mathrm{garbage}(g)\rangle\right). \qquad (1)$$

The contents of register R is multiplied by the group element contained in S, which has no effect
on the state in (1) following from the fact that $|H\rangle$ is invariant under multiplication by any element
$g \in H$. Now the inverse of transformation $F$ is applied, which returns S to the state $|0\rangle$ with
certainty. The probability that the verification procedure rejects in step 1 is therefore 0. Now step
2 is performed. After preparing register B and performing the controlled-multiply-by-$h$ operation,
the state of the pair (B, R) is $(|0\rangle|H\rangle + |1\rangle|Hh\rangle)/\sqrt{2}$. A Hadamard transform is performed on B,
producing the state

$$\frac{1}{2}|0\rangle\left(|H\rangle + |Hh\rangle\right) + \frac{1}{2}|1\rangle\left(|H\rangle - |Hh\rangle\right).$$

Under the assumption $h \notin H$, we have that $|H\rangle$ and $|Hh\rangle$ are orthogonal, and consequently the
probability of acceptance is $\|(|H\rangle - |Hh\rangle)/2\|^2 = 1/2$.

Now suppose $h \in H$ and let $|\psi\rangle$ denote the initial state of register R. In this case our goal is to
bound the probability of acceptance. Let us write

$$|\psi\rangle = \sum_{x \in G(B_n)} \beta_x |x\rangle + |\gamma\rangle$$

for $|\gamma\rangle \in \mathrm{span}\{|x\rangle : x \notin G(B_n)\}$ denoting the "invalid" portion of $|\psi\rangle$. The verification procedure
first checks that R contains a superposition over valid elements of $G(B_n)$, which has the effect
of projecting the state of R to $\sum_{x \in G(B_n)} \beta_x |x\rangle$ (renormalized) in case this test does not result in
rejection. As we are interested in bounding the overall (unconditional) probability of accepting,
however, we need not renormalize this state. Transformation $F$ is performed on S, and the group
element contained in S is multiplied to the contents of R, producing state

$$\sum_{x \in G(B_n)} \sum_{g \in H} \alpha_g \beta_x |xg\rangle\,|g\rangle\,|\mathrm{garbage}(g)\rangle$$

in registers (R, S). Now $F^\dagger$ is applied to S and the verification procedure rejects if S has not been
returned to its initial value. Under the assumption that an observation of S reveals 0 (which is
necessary if the procedure accepts), the state of register R becomes

$$\sum_{x \in G(B_n)} \sum_{g \in H} \alpha_g \beta_x |xg\rangle \left(\langle 0| F^\dagger |g\rangle\,|\mathrm{garbage}(g)\rangle\right)
= \sum_{x \in G(B_n)} \sum_{g \in H} |\alpha_g|^2 \beta_x |xg\rangle$$

(where again we do not renormalize in order to calculate the unconditional probability of acceptance).
Now step 2 is performed. After the controlled-multiply-by-$h$ and Hadamard operations
have been performed, the state of the pair (B, R) will be

$$\frac{1}{2}|0\rangle \sum_{x \in G(B_n)} \sum_{g \in H} \left(|\alpha_g|^2 \beta_x |xg\rangle + |\alpha_g|^2 \beta_x |xgh\rangle\right)
+ \frac{1}{2}|1\rangle \sum_{x \in G(B_n)} \sum_{g \in H} \left(|\alpha_g|^2 \beta_x |xg\rangle - |\alpha_g|^2 \beta_x |xgh\rangle\right).$$

The probability of acceptance is therefore

$$\left\| \frac{1}{2} \sum_{x \in G(B_n)} \sum_{g \in H} \left(|\alpha_g|^2 \beta_x |xg\rangle - |\alpha_g|^2 \beta_x |xgh\rangle\right) \right\|^2. \qquad (2)$$

Under the assumption that $h \in H$, we have that $xgh$ and $xg$ range over the same set as $g$ ranges
over $H$. Thus we may rewrite (2) as

$$\left\| \frac{1}{2} \sum_{x \in G(B_n)} \sum_{g \in H} \left(|\alpha_g|^2 - |\alpha_{gh^{-1}}|^2\right) \beta_x |xg\rangle \right\|^2. \qquad (3)$$

By the triangle inequality, we see that (3) is at most

$$\left( \frac{1}{2} \sum_{g \in H} \left|\,|\alpha_g|^2 - |\alpha_{gh^{-1}}|^2\,\right| \cdot \left\| \sum_{x \in G(B_n)} \beta_x |xg\rangle \right\| \right)^2
\leq \left( \frac{1}{2} \cdot |H| \cdot 2 \cdot 2^{-2n} \right)^2 \leq 2^{-2n},$$

since each $|\alpha_g|^2$ lies in $(1/|H| - 2^{-2n}, 1/|H| + 2^{-2n})$, $\left\|\sum_{x \in G(B_n)} \beta_x |xg\rangle\right\| \leq 1$, and $|H| \leq 2^n$.
Thus we have that the verification procedure accepts with exponentially small probability.

The definition of QMA requires that positive instances be accepted with probability at least 
2/3 and negative instances to be accepted with probability at most 1/3. Thus, we must address 
the fact that although our verification procedure accepts with exponentially small probability for 
all certificates on negative instances, the probability of acceptance is only guaranteed to be 1/2 
for positive instances. As discussed in Section 2, this may be remedied by running several copies 
of the verification procedure in parallel and deciding to accept or reject depending on the number 
of parallel executions that accept. In the present case we may achieve exponentially small probability
of error by running a polynomial number of copies of the above verification procedure on a
compound certificate and accepting if and only if at least one of the copies accepts. ■
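The informal description at the start of this section and the proof of Theorem 2 describe the same procedure, so here is one added worked example (example code, not from the paper) that simulates it exactly in Python on the symmetric group $S_3$. The garbage register of $F$ is dropped, which does not change the algebra because only $\langle 0|F^\dagger$ enters the calculation, contributing $\overline{\alpha_g}$. The code computes the unconditional acceptance probability for the honest certificate $|H\rangle$ on a positive instance (1/2), for a certificate on a negative instance when the sampler is exactly uniform (0), and for a certificate on a negative instance when $|\alpha_g|^2$ is only $\epsilon$-close to uniform as Theorem 1 allows, checking the last value against the triangle-inequality bound from the proof. The choice of group, subgroup, certificates and perturbed amplitudes are assumptions of this example.

```python
import math

# Added example, not code from the paper: an exact state-vector simulation of the
# Figure 2 verifier on the symmetric group S_3 (elements are permutation tuples).
# A register state is a dict mapping basis labels to amplitudes.  Following the
# proof of Theorem 2, after step 1 succeeds the unnormalised state of R is
# phi = sum_g |alpha_g|^2 (psi . g), and the acceptance probability is
# ||(phi - phi.h)/2||^2.  Group, subgroup and amplitudes below are assumptions.

def mul(x, g):
    """Product xg: apply permutation x, then g (associative; identity is (0,1,2))."""
    return tuple(g[x[i]] for i in range(len(x)))

def inv(x):
    y = [0] * len(x)
    for i, xi in enumerate(x):
        y[xi] = i
    return tuple(y)

def generate(gens):
    """Closure <gens>: the subgroup generated by the given elements."""
    identity = tuple(range(len(gens[0])))
    H, frontier = {identity}, [identity]
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = mul(x, g)
            if y not in H:
                H.add(y)
                frontier.append(y)
    return H

def uniform_state(A):
    """|A> = |A|^{-1/2} sum_{a in A} |a>."""
    return {a: 1 / math.sqrt(len(A)) for a in A}

def right_mult(state, g):
    """Map sum beta_x |x> to sum beta_x |xg>."""
    return {mul(x, g): amp for x, amp in state.items()}

def norm_sq(state):
    return sum(abs(a) ** 2 for a in state.values())

def accept_probability(certificate, alpha, G, h):
    """Unconditional acceptance probability of the Figure 2 procedure.
    certificate: dict label -> amplitude (unit vector), may contain invalid labels
    alpha: dict g -> alpha_g, amplitudes produced by F over the subgroup H
    G: set of valid group elements; h: the element tested for non-membership."""
    # Step 1, validity check: project onto span{|x> : x in G} (not renormalised).
    psi = {x: a for x, a in certificate.items() if x in G}
    # Step 1, F / multiply / F^dagger / postselect S = 0:
    # phi = sum_g |alpha_g|^2 (psi . g), unnormalised.
    phi = {}
    for g, a_g in alpha.items():
        for x, amp in right_mult(psi, g).items():
            phi[x] = phi.get(x, 0) + abs(a_g) ** 2 * amp
    # Step 2: the |1> branch after the second Hadamard is (phi - phi.h)/2.
    phi_h = right_mult(phi, h)
    branch = {x: (phi.get(x, 0) - phi_h.get(x, 0)) / 2 for x in set(phi) | set(phi_h)}
    return norm_sq(branch)

def soundness_bound(certificate, alpha, G, H, h):
    """The triangle-inequality bound from the proof of Theorem 2 (h in H assumed):
    (1/2 sum_g | |alpha_g|^2 - |alpha_{g h^-1}|^2 | * ||valid part of psi||)^2."""
    psi_norm = math.sqrt(norm_sq({x: a for x, a in certificate.items() if x in G}))
    h_inv = inv(h)
    total = sum(abs(abs(alpha[g]) ** 2 - abs(alpha[mul(g, h_inv)]) ** 2) for g in H)
    return (0.5 * total * psi_norm) ** 2

def demo():
    """H = <(0 1)> inside S_3.  Returns (p_positive_honest, p_negative_uniform,
    p_negative_skewed, bound_for_skewed)."""
    e, s, t = (0, 1, 2), (1, 0, 2), (0, 2, 1)
    G = generate([s, t])                        # all six elements of S_3
    H = generate([s])                           # {e, (0 1)}
    h_out, h_in = t, s                          # t is not in H; s is in H
    perfect = uniform_state(H)                  # |alpha_g|^2 = 1/|H| exactly
    eps = 0.01                                  # constructed skew within Theorem 1's range
    skewed = {e: math.sqrt(0.5 + eps), s: math.sqrt(0.5 - eps)}
    honest = uniform_state(H)                   # the certificate |H>
    cheat = {e: math.sqrt(0.8), 'junk': math.sqrt(0.2)}   # includes an invalid label
    return (accept_probability(honest, perfect, G, h_out),
            accept_probability(cheat, perfect, G, h_in),
            accept_probability(cheat, skewed, G, h_in),
            soundness_bound(cheat, skewed, G, H, h_in))
```

Running `demo()` gives 1/2 for the honest certificate on the positive instance, exactly 0 for the negative instance with a perfect sampler (the coefficient of $|xg\rangle$ in (3) vanishes identically), and a small nonzero value for the skewed sampler that stays below the bound, which is the point the proof makes: the only leakage on negative instances comes from non-uniformity of $|\alpha_g|^2$, and Theorem 1 makes that $2^{-2n}$-small.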



4 Oracle separations 

In this section we discuss oracle separations regarding MA, QMA, and BQP. First, we prove that
there exists a group oracle $B$ relative to which the Group Non-Membership problem is not contained
in MA$^B$, and thus MA$^B \neq$ QMA$^B$. Our proof follows the same general ideas used by Babai [5, 6] to
prove GNM($B$) $\notin$ NP$^B$ and GNM($B$) $\notin$ BPP$^B$ for some group oracles $B$. We then identify a restricted version
of the Group Non-Membership problem, which we call the 2-Element Group Non-Membership
problem, that in fact is contained in BQP$^B$ but still lies outside of MA$^B$ relative to the group oracle
$B$. Thus we have an oracle separating BQP and MA. A stronger result was claimed by Bernstein
and Vazirani [13], but their proof has not yet appeared: they claimed the existence of an oracle
relative to which EQP is not contained in MA.

The oracle separations we prove rely on a strong amplification property possessed by MA, which
is that the probability of error can be made much smaller than the reciprocal of the number of
possible certificates for each input length. With this in mind, we take the following as our definition
of MA$^B$:

Definition 2 For a given group oracle $B$, a language $A$ is in MA$^B$ if there exists a predicate $R$,
computable in polynomial time by a deterministic Turing machine with access to the group oracle
$B$, and polynomials $q$ and $r$, such that for every $x \in \Sigma^*$ we have:

If $x \in A$, then there exists $y \in \Sigma^{q(|x|)}$ such that

$$\left|\left\{z \in \Sigma^{r(|x|)} : R(x, y, z) = 1\right\}\right| = 2^{r(|x|)}.$$

If $x \notin A$, then for all $y \in \Sigma^{q(|x|)}$,

$$\left|\left\{z \in \Sigma^{r(|x|)} : R(x, y, z) = 1\right\}\right| < 2^{-2q(|x|)}\, 2^{r(|x|)}.$$

This definition also includes the fact that the error can be made one-sided without changing the
resulting class (see, for instance, Zachos [29]) — a property that we do not know holds for QMA.
This fact is not essential in our proof, but has the advantage of simplifying our analysis.



Theorem 3 There exists a group oracle $B$ for which we have GNM($B$) $\notin$ MA$^B$.

Proof. For each $n \geq 4$, let $p(n)$ be a prime number satisfying $2^{n-2} < p(n)^2 < 2^n$. Existence of
such a sequence of primes follows from Bertrand's Postulate, first proved by Chebyshev (see, for
instance, Rosser and Schoenfeld [25]). Let $[p(n)^2]$ denote the set $\{1, \ldots, p(n)^2\}$, and for fixed $n$
identify each element of $[p(n)^2]$ with its representation as an $n$-bit string in binary. Let $\mathcal{F}(n)$ denote
the set of one-to-one functions of the form $f : [p(n)^2] \to \mathbb{Z}_{p(n)} \times \mathbb{Z}_{p(n)}$, and define

$$\mathcal{F}_1(n) = \left\{f \in \mathcal{F}(n) : f(1) = (1, 0) \text{ and } f(2) = (0, 1)\right\},$$

$$\mathcal{F}_0(n) = \left\{f \in \mathcal{F}(n) : f(1) = (1, 0) \text{ and } f(2) = (a, 0) \text{ for some } a \in \{2, \ldots, p(n) - 1\}\right\}.$$

We have $|\mathcal{F}_0(n)| = (p(n) - 2)\,|\mathcal{F}_1(n)|$. Associated with each $f \in \mathcal{F}(n)$ is a group oracle for the group
$\mathbb{Z}_{p(n)} \times \mathbb{Z}_{p(n)}$ that labels each $(\alpha, \beta) \in \mathbb{Z}_{p(n)} \times \mathbb{Z}_{p(n)}$ with the $n$-bit string $f^{-1}(\alpha, \beta)$. When $n$ is
fixed, or understood from context, we will simply write $p$, $\mathcal{F}_0$, $\mathcal{F}_1$, etc., to mean $p(n)$, $\mathcal{F}_0(n)$, $\mathcal{F}_1(n)$,
etc.

We will restrict our attention to the case where the input to the GNM problem consists of
the pair of $n$-bit strings representing labels 1 and 2 in binary for some $n$; we will write this pair
as $(1, 2)_n$ in order to stress the dependence on $n$. Furthermore, we also restrict our attention to
the case that the group oracle is associated with some $f \in \mathcal{F}_1(n) \cup \mathcal{F}_0(n)$ for each $n$ as described
previously. For fixed $n$, if the group in question is associated with $f \in \mathcal{F}_1$, then $f(2) \notin \langle f(1) \rangle$, and
so $(1, 2)_n$ is a positive instance of GNM. If the group is associated with $f \in \mathcal{F}_0$, then $f(2) \in \langle f(1) \rangle$,
and so $(1, 2)_n$ is a negative instance of GNM.

Below we will diagonalize over all polynomial-time oracle Turing machines in order to prove the
existence of $B$ as in the statement of the theorem. First, let us consider an arbitrary polynomial-time
deterministic oracle Turing machine $M$, and let $q$, $r$, and $t$ be strictly increasing polynomials
such that the following holds: for any $x \in \Sigma^*$, $y \in \Sigma^{q(|x|)}$ and $z \in \Sigma^{r(|x|)}$, $M$ runs in time $t(|x|)$
on input $(x, y, z)$ and any group oracle $B$. (Here, $x$, $y$, and $z$ are as in the definition of MA, i.e.,
$x$ corresponds to the input, $y$ is a certificate, and $z$ is treated as a sequence of random bits.) As
mentioned above, we are interested in the case where $x = (1, 2)_n$ for some $n$. Write $m = |x|$ for such
a choice of $x$, and for simplicity assume our encoding of pairs of strings is such that $2n \leq m \leq 4n$.
At this point we will fix $n$ sufficiently large such that $8t(4n)^2 < 2^{n/2}$ (and thus $t(m)^2/p(n) < 1/4$).
Let $B$ be an arbitrary group oracle, and for any $f \in \mathcal{F}$ let us write $B_f$ to denote the new group
oracle obtained by changing the behavior of $B$ on elements of length $n$ to be in accordance with $f$,
as described above. Finally, let $M(B_f, y, z)$ denote 1 if $M$ accepts $(x, y, z)$ given oracle $B_f$, and let
$M(B_f, y, z)$ denote 0 otherwise. We claim that the following inequality holds for every $y \in \Sigma^{q(m)}$
and $z \in \Sigma^{r(m)}$:

$$\left|\left\{g \in \mathcal{F}_0 : M(B_g, y, z) = 1\right\}\right| \geq \left(p - t(m)^2\right) \left|\left\{f \in \mathcal{F}_1 : M(B_f, y, z) = 1\right\}\right|. \qquad (4)$$

The proof of this inequality is the main technical part of the proof of Theorem 3, and so we postpone
this part momentarily; for now assume that it is proved.

Suppose now that for every $f \in \mathcal{F}_1$ there exists a certificate $y \in \Sigma^{q(m)}$ such that $M(B_f, y, z) = 1$
for every $z \in \Sigma^{r(m)}$ (which must be the case if $M$ is really a valid machine for solving the Group
Non-Membership problem with respect to an arbitrary oracle). Since there are only $2^{q(m)}$ possible
certificates, we conclude that one of the certificates must work for many different oracles, i.e., there
exists some fixed $y$ such that for at least $2^{-q(m)}|\mathcal{F}_1|$ choices of $f \in \mathcal{F}_1$ we have $M(B_f, y, z) = 1$ for
every $z \in \Sigma^{r(m)}$. This implies

$$\sum_{z \in \Sigma^{r(m)}} \left|\left\{f \in \mathcal{F}_1 : M(B_f, y, z) = 1\right\}\right| \geq 2^{-q(m)}\, |\mathcal{F}_1|\, 2^{r(m)}.$$

By (4) we therefore have

$$\sum_{g \in \mathcal{F}_0} \left|\left\{z \in \Sigma^{r(m)} : M(B_g, y, z) = 1\right\}\right|
= \sum_{z \in \Sigma^{r(m)}} \left|\left\{g \in \mathcal{F}_0 : M(B_g, y, z) = 1\right\}\right|
\geq \left(p - t(m)^2\right) 2^{-q(m)}\, |\mathcal{F}_1|\, 2^{r(m)}.$$

Therefore, there must exist $g \in \mathcal{F}_0$ such that

$$\left|\left\{z \in \Sigma^{r(m)} : M(B_g, y, z) = 1\right\}\right|
\geq \frac{\left(p - t(m)^2\right) 2^{-q(m)}\, |\mathcal{F}_1|\, 2^{r(m)}}{|\mathcal{F}_0|}
> 2^{-2q(m)}\, 2^{r(m)},$$

where the last inequality uses $|\mathcal{F}_0| = (p - 2)|\mathcal{F}_1|$ and $t(m)^2/p < 1/4$, so that $(p - t(m)^2)/(p - 2) > 3/4 > 2^{-q(m)}$.

From this we conclude that for any polynomial-time oracle Turing machine $M$ and group oracle
$B$, there exists an integer $n$ such that by modifying $B$ only on elements of length $n$ it is possible
to make $M$ an invalid machine for the GNM problem; either there exists $f \in \mathcal{F}_1(n)$ such that
no certificate causes $M$ to accept $(1, 2)_n$ given group oracle $B_f$ with certainty, or there exists
$g \in \mathcal{F}_0(n)$ such that some certificate causes $M$ to accept $(1, 2)_n$ given group oracle $B_g$ with too
high a probability.

Now it is routine to prove there exists B as in the statement of the theorem by a diagonaliza- 
tion argument. Let (M±,qi,ri), (M2,q2,i"2), • • • , be an enumeration of all triples consisting of a 
polynomial-time deterministic oracle Turing machine and a pair of strictly increasing polynomials. 
Let t±, £2, • • • be a sequence of polynomials such that Mi runs in time tj(|x|) on each input (x, y, z) 
and any group oracle B, assuming \y\ = qi(\x\) and \z\ = ri(\x\), for each i. Without loss of gener- 
ality we may assume ti + \{m) > ti(m) for all i and m. We define B using a stage construction as 
follows: 

Stage 0:

Set $B^{(0)}$ to be an arbitrarily chosen group oracle, and set $n_0 = 4$.

Stage $i \ge 1$:

Choose $n_i$ to be the smallest integer satisfying $2n_i > t_{i-1}(4n_{i-1})$ and $8\,t_i(4n_i)^2 < 2^{n_i/2}$, and let $m_i$ be the length of the encoding of the pair $(1,2)_{n_i}$.

If there exists $f \in \mathcal{F}_1(n_i)$ such that for all $y \in \Sigma^{q_i(m_i)}$ we have

$$\bigl|\{z \in \Sigma^{r_i(m_i)} \mid M_i(B^{(i-1)}_f, y, z) = 1\}\bigr| \;<\; 2^{r_i(m_i)},$$

then let $B^{(i)} = B^{(i-1)}_f$ for any such $f$. Otherwise, as proved previously, there exists $g \in \mathcal{F}_0(n_i)$ and $y \in \Sigma^{q_i(m_i)}$ such that

$$\bigl|\{z \in \Sigma^{r_i(m_i)} \mid M_i(B^{(i-1)}_g, y, z) = 1\}\bigr| \;\ge\; 2^{-2q_i(m_i)}\,2^{r_i(m_i)}.$$

Set $B^{(i)} = B^{(i-1)}_g$ for any such $g$.

Finally, let $B$ be the group oracle that, for each $i$, agrees with $B^{(i)}$ on all queries regarding elements of length less than $n_{i+1}$. (This group oracle is well-defined, since all changes to the oracle on stages subsequent to stage $i$ involve only elements of length at least $n_{i+1}$.) It is now straightforward to verify that $\mathrm{GNM}(B) \notin \mathrm{MA}^B$ by the construction of $B$, since no triple $(M_i, q_i, r_i)$ can be valid according to Definition 2.

It remains to prove the inequality (4). Define an equivalence relation $\sim_{y,z}$ on $\mathcal{F} \times \mathcal{F}$ for each $y \in \Sigma^{q(m)}$ and $z \in \Sigma^{r(m)}$ as follows: $f \sim_{y,z} g$ if and only if $f$ and $g$ induce identical executions of $M$ for $x = (1,2)_n$, certificate $y$, and random bits $z$ (i.e., on input $((1,2)_n, y, z)$).

Let $f \in \mathcal{F}_1$, and consider the computation of $M$ on input $((1,2)_n, y, z)$ given a group oracle specified by $f$ on length $n$ elements. During this computation, there will be some number $k$ of queries to the oracle regarding length $n$ elements, which we may express as

$$u_1 \pm v_1 = w_1,\quad u_2 \pm v_2 = w_2,\quad \ldots,\quad u_k \pm v_k = w_k \qquad (5)$$

(that is, the $i$-th query asks for $u_i + v_i$ or $u_i - v_i$, and the answer given by the oracle is $w_i$). Let $L$ denote the set $\{u_1, v_1, w_1, \ldots, u_k, v_k, w_k\}$ (i.e., the distinct length-$n$ labels of group elements that either appear in a query or a response), and let $l$ denote the size of $L$. Without loss of generality assume the labels 1 and 2 are in $L$. The above equations specify a $k \times l$ matrix $A$ with entries in $\{-1, 0, 1\}$ in the following straightforward way: the columns of $A$ are indexed by the labels in the set $L$, and for each $i = 1, \ldots, k$, the $i$-th row of $A$ only has nonzero entries corresponding to labels $u_i$, $v_i$, and $w_i$. In case the $i$-th query was $u_i + v_i = w_i$, the entries for the columns indexed by $u_i$, $v_i$, and $w_i$ will be $1$, $1$, and $-1$, respectively, and in case the $i$-th query was $u_i - v_i = w_i$, the entries will be $1$, $-1$, and $-1$, respectively.

At this point it will be convenient to view $\mathbb{Z}_p \times \mathbb{Z}_p$ as being the additive group of the field $\mathbb{F} = \mathrm{GF}(p^2)$ in order to easily apply well-known theorems from linear algebra to our analysis. (Here the specific correspondence between $\mathbb{Z}_p \times \mathbb{Z}_p$ and $\mathbb{F}$ is arbitrary, so long as the additive group structure is preserved.) Note that for any $g$ satisfying $f \sim_{y,z} g$ we must have that the values $g$ assigns to the labels in $L$ form a vector in the nullspace of $A$ (viewing $A$ as a matrix over $\mathbb{F}$).

Let $d$ be the dimension of the nullspace of $A$. We claim that

$$\bigl|\{g \in \mathcal{F}_0 \mid f \sim_{y,z} g\}\bigr| \;\ge\; \Bigl(p - 1 - \tbinom{l}{2}\Bigr)\Bigl(p^{2d-4} - \tbinom{l}{2}\,p^{2d-6}\Bigr)\,(p^2 - l)! \qquad (6)$$

and

$$\bigl|\{g \in \mathcal{F}_1 \mid f \sim_{y,z} g\}\bigr| \;\le\; p^{2d-4}\,(p^2 - l)!. \qquad (7)$$

This suffices to prove (4), since by (6) and (7) we determine that for all $f \in \mathcal{F}_1$ we have

$$\bigl|\{g \in \mathcal{F}_0 \mid f \sim_{y,z} g\}\bigr| \;\ge\; \bigl(p - t(m)^2\bigr)\,\bigl|\{g \in \mathcal{F}_1 \mid f \sim_{y,z} g\}\bigr|,$$

and summing over those equivalence classes for which $M(B_f,y,z)=1$ yields (4).

The inequality (7) is immediate since the collection of vectors in the nullspace of $A$ that assign values $(1,0)$ and $(0,1)$ to the labels 1 and 2, respectively, is a hyperplane of dimension $d-2$, and each vector in this hyperplane can be extended to yield at most $(p^2 - l)!$ distinct $g \in \mathcal{F}_1$ with $g \sim_{y,z} f$.

To prove (6), let us define

$$H_a = \{h \in \mathbb{F}^l \mid Ah = 0,\ h[1] = (1,0),\ \text{and}\ h[2] = (a,0)\}$$

for each $a \in \{2, \ldots, p-1\}$, and define

$$T = \{h \in \mathbb{F}^l \mid h[i] \ne h[j] \text{ for } i \ne j\}.$$

We will prove that there are at least $p - 1 - \binom{l}{2}$ values of $a$ for which $H_a \cap T$ contains at least $p^{2d-4} - \binom{l}{2}\,p^{2d-6}$ elements. As each $h \in H_a \cap T$ may be extended to yield $(p^2 - l)!$ distinct $g \in \mathcal{F}_0$ with $g \sim_{y,z} f$, we will have proved (6).

Suppose $H_a \cap T$ is nonempty for $a \in \{2, \ldots, p-1\}$. Then of course $H_a$ is nonempty, and is therefore a hyperplane of dimension $d-2$. We may also conclude that for each pair $i \ne j \in L$, the intersection of $H_a$ with the subspace $J_{i,j} = \{h \in \mathbb{F}^l \mid h[i] = h[j]\}$ is properly contained in $H_a$, and is therefore a hyperplane of dimension at most $d-3$. Since $T = \mathbb{F}^l \setminus \bigl(\bigcup_{i \ne j} J_{i,j}\bigr)$, there must therefore be at least $p^{2(d-2)} - \binom{l}{2}\,p^{2(d-3)}$ elements in $H_a \cap T$ as required.

Thus, it remains to prove that $H_a \cap T$ is nonempty for at least $p - 1 - \binom{l}{2}$ values of $a \in \{2, \ldots, p-1\}$. In order to prove this, define a mapping $\psi_a : \mathbb{Z}_p \times \mathbb{Z}_p \to \mathbb{Z}_p \times \mathbb{Z}_p$ for each $a \in \{2, \ldots, p-1\}$ as $\psi_a(\alpha, \beta) = (\alpha + a\beta, 0)$. Let $h_f \in \mathbb{F}^l$ denote the vector corresponding to the values assigned to the labels in $L$ by $f$, and let $\psi_a(h_f)$ denote the vector obtained by applying $\psi_a$ to each entry of $h_f$ individually. Following from the fact that each $\psi_a$ is a homomorphism, we must have that $\psi_a(h_f)$ is in the nullspace of $A$, and therefore $\psi_a(h_f) \in H_a$. Write $h_f[i] = (\alpha_i, \beta_i)$ for each $i$, and suppose we have $\psi_a(h_f[i]) = \psi_a(h_f[j])$ for some pair $i \ne j$. Then $\alpha_i + a\beta_i \equiv \alpha_j + a\beta_j \pmod p$, and so $a(\beta_i - \beta_j) \equiv \alpha_j - \alpha_i \pmod p$. Since $h_f[i] \ne h_f[j]$ (as $f$ assigns distinct values to each label), it is impossible that $\beta_i = \beta_j$ (that would force $\alpha_i = \alpha_j$ as well), and so $a \equiv (\beta_i - \beta_j)^{-1}(\alpha_j - \alpha_i) \pmod p$. It follows that there are at most $\binom{l}{2}$ nonzero values of $a$ such that $\psi_a(h_f) \notin H_a \cap T$, which completes the proof. ∎
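The query-matrix construction of (5) and the $\psi_a$ counting argument above, carried out on a small constructed transcript, as an added worked example (this is not code from the paper; the prime $p = 13$, the three-query transcript, the label set and the assignment $h_f$ are assumed for illustration). It builds $A$ from the transcript, checks $A h_f = 0$ over $\mathbb{Z}_p \times \mathbb{Z}_p$, lists the values $a \in \{2, \ldots, p-1\}$ for which $\psi_a(h_f)$ still assigns distinct values to all labels (so the modified oracle, in which label 2 now equals $a$ times label 1, answers the same transcript identically), and recomputes the excluded values from the formula $a \equiv (\beta_i - \beta_j)^{-1}(\alpha_j - \alpha_i)$:

```python
from itertools import combinations

# Constructed example (not from the paper). Each query is (u, sign, v, w):
# the machine asked for u + v (sign=+1) or u - v (sign=-1) on length-n
# labels and the oracle answered with label w. Labels are small integers.
QUERIES = [(1, +1, 2, 3), (3, +1, 3, 4), (4, -1, 1, 5)]
LABELS = [1, 2, 3, 4, 5]        # the set L; labels 1 and 2 are in L, so l = 5
P = 13                          # the prime p for this length (assumed)
# h_f: the assignment made by f in F_1, with 1 -> (1,0) and 2 -> (0,1), so
# label 2 lies outside <1>; the remaining entries follow from the transcript.
H_F = [(1, 0), (0, 1), (1, 1), (2, 2), (1, 2)]


def build_query_matrix(queries, labels):
    """The k x l matrix A of (5): row i has +1 at u_i, +/-1 at v_i, -1 at w_i.
    Entries are accumulated, so a repeated label (e.g. u + u = w) yields a 2;
    A h = 0 still states exactly the transcript's equations."""
    col = {lab: j for j, lab in enumerate(labels)}
    A = []
    for u, sign, v, w in queries:
        row = [0] * len(labels)
        row[col[u]] += 1
        row[col[v]] += sign
        row[col[w]] -= 1
        A.append(row)
    return A


def in_nullspace(A, h, p):
    """A h = 0 over Z_p x Z_p (both coordinates reduced mod p), i.e. the
    assignment h is consistent with every query/answer of the transcript."""
    for row in A:
        s0 = sum(c * x[0] for c, x in zip(row, h)) % p
        s1 = sum(c * x[1] for c, x in zip(row, h)) % p
        if s0 or s1:
            return False
    return True


def psi(a, h, p):
    """Apply the homomorphism psi_a(alpha, beta) = (alpha + a*beta, 0) entrywise."""
    return [((alpha + a * beta) % p, 0) for alpha, beta in h]


def good_values_of_a(h_f, p):
    """Values a in {2, ..., p-1} for which psi_a(h_f) has pairwise distinct
    entries, i.e. psi_a(h_f) lies in H_a ∩ T."""
    good = []
    for a in range(2, p):
        img = psi(a, h_f, p)
        if len(set(img)) == len(img):
            good.append(a)
    return good


def excluded_values_of_a(h_f, p):
    """The values the proof rules out: for each pair i < j with beta_i != beta_j,
    a = (beta_i - beta_j)^{-1} (alpha_j - alpha_i) mod p; at most C(l, 2) of them."""
    bad = set()
    for (ai, bi), (aj, bj) in combinations(h_f, 2):
        if bi != bj:
            bad.add(pow(bi - bj, -1, p) * (aj - ai) % p)
    return bad


def lower_bound(p, l):
    """p - 1 - C(l, 2), the paper's lower bound on the number of usable a."""
    return p - 1 - l * (l - 1) // 2


if __name__ == "__main__":
    A = build_query_matrix(QUERIES, LABELS)
    assert in_nullspace(A, H_F, P)
    good = good_values_of_a(H_F, P)
    print("A =", A)
    print("usable a:", good, "(bound %d)" % lower_bound(P, len(LABELS)))
    for a in good:
        g = psi(a, H_F, P)
        assert in_nullspace(A, g, P) and g[1] == (a, 0)   # label 2 = a * label 1
    print("excluded a:", sorted(excluded_values_of_a(H_F, P)))
```

For this transcript eight of the eleven candidate values of $a$ survive, well above the bound $p - 1 - \binom{5}{2} = 2$; the excluded set also contains $a = 0$ and $a = 1$, which the proof never considers, which is why the paper's count of "nonzero" bad values is at most $\binom{l}{2}$.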



Finally, we consider a restricted case of the Group Non-Membership problem where there are only two input group elements (i.e., $k = 1$ in the statement of the GNM problem).

2-Element Group Non-Membership (2-GNM)

Instance: Group elements $g$ and $h$ in some group $G$.

Question: Is $h$ outside the group generated by $g$ (i.e., is $h \notin \langle g \rangle$)?

We note that this problem can be solved in BQP for any group oracle $B$ using Shor's algorithm.

Proposition 4 $\text{2-GNM}(B) \in \mathrm{BQP}^B$ for any group oracle $B$.

As this problem is not contained in (classical) MA relative to the group oracle $B$ constructed in the proof of Theorem 3, we have obtained the relation $\mathrm{BQP} \not\subseteq \mathrm{MA}$ relative to $B$.

Corollary 5 There exists an oracle $B$ such that $\mathrm{BQP}^B \not\subseteq \mathrm{MA}^B$.

5 Other problems having succinct quantum proofs 

Quantum certificates for group non-membership may be used in conjunction with classical cer- 
tificates for other group properties to obtain succinct quantum certificates for various problems 
regarding finite groups. A few examples are given in this section. 
Consider the following problems: 

Proper Subgroup

Instance: Elements $g_1, \ldots, g_k$ and $h_1, \ldots, h_l$ in some group $G$.
Question: Is $\langle h_1, \ldots, h_l \rangle$ a proper subgroup of $\langle g_1, \ldots, g_k \rangle$?

Divisor of Order

Instance: Elements $g_1, \ldots, g_k$ in some group $G$ and an integer $N$.
Question: Does $N$ divide the order of $\langle g_1, \ldots, g_k \rangle$?

Simple Group

Instance: Elements $g_1, \ldots, g_k$ in some group $G$.
Question: Is $\langle g_1, \ldots, g_k \rangle$ a simple group?

Intersection

Instance: Elements $g_1, \ldots, g_k$, $h_1, \ldots, h_l$, and $a_1, \ldots, a_t$ in some group $G$.
Question: Is $\langle a_1, \ldots, a_t \rangle$ equal to the intersection of $\langle g_1, \ldots, g_k \rangle$ and $\langle h_1, \ldots, h_l \rangle$?

Centralizer

Instance: Elements $g_1, \ldots, g_k$, $h_1, \ldots, h_l$ and $a$ in some group $G$.
Question: Is $\langle h_1, \ldots, h_l \rangle$ equal to the centralizer of $a$ in $\langle g_1, \ldots, g_k \rangle$?

Maximal Normal Subgroup

Instance: Elements $g_1, \ldots, g_k$ and $h_1, \ldots, h_l$ in some group $G$.
Question: Is $\langle h_1, \ldots, h_l \rangle$ a maximal normal subgroup of $\langle g_1, \ldots, g_k \rangle$?

The first two problems, Proper Subgroup and Divisor of Order, are in QMA for any group oracle $B$, while neither is in MA for appropriate choice of $B$. Quantum certificates for these problems may be obtained by combining quantum certificates for non-membership with classical certificates for other properties.

In the case of Proper Subgroup this is straightforward: a quantum proof that $\langle h_1, \ldots, h_l \rangle$ is properly contained in $\langle g_1, \ldots, g_k \rangle$ may consist of a classical portion that certifies that each $h_i$ may be generated from $g_1, \ldots, g_k$ and identifies an element $a \in \langle g_1, \ldots, g_k \rangle$ that purportedly lies outside of $\langle h_1, \ldots, h_l \rangle$, while the quantum portion certifies that $a \notin \langle h_1, \ldots, h_l \rangle$.

In the case of Divisor of Order, the quantum proof is slightly more complicated: for each prime power $p^l$ dividing $N$, the quantum proof identifies a tower of $p$-subgroups

$$\langle h_1 \rangle < \langle h_1, h_2 \rangle < \cdots < \langle h_1, \ldots, h_l \rangle$$

of $\langle g_1, \ldots, g_k \rangle$ having the property $h_i \notin \langle h_1, \ldots, h_{i-1} \rangle$ for each $i$ (so that each inclusion is proper, and $\langle h_1, \ldots, h_l \rangle$ has order at least $p^l$). The $p$-subgroup property may be certified classically [10], while each $h_i \notin \langle h_1, \ldots, h_{i-1} \rangle$ may be certified with a quantum proof of non-membership.
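A checker for a Divisor of Order certificate of the form just described, as an added worked example (not code from the paper), run on the symmetric group $S_4$ given as permutations. For a group small enough to enumerate, brute-force closure of the generators stands in for both the classical $p$-subgroup certificate of [10] and the quantum proofs of non-membership, so the example only exhibits why a tower of length $l$ with $h_i \notin \langle h_1, \ldots, h_{i-1} \rangle$ certifies that $p^l$ divides the group order; the generators, the towers and the values of $N$ are constructed for illustration, and permutations are 0-based tuples:

```python
# Constructed example: S_4 as permutations of {0,1,2,3}, written as tuples
# (perm[x] is the image of x). Not code from the paper.
S4_GENS = [(1, 0, 2, 3), (1, 2, 3, 0)]          # (0 1) and (0 1 2 3)
# Towers of p-subgroups for p = 2 and p = 3, as a certificate would list them:
#   <(0 1)> < <(0 1),(2 3)> < <(0 1),(2 3),(0 2)(1 3)>   (orders 2, 4, 8)
#   <(0 1 2)>                                             (order 3)
TOWERS = {2: [(1, 0, 2, 3), (0, 1, 3, 2), (2, 3, 0, 1)], 3: [(1, 2, 0, 3)]}


def compose(s, t):
    """(s ∘ t)(x) = s(t(x))."""
    return tuple(s[t[x]] for x in range(len(t)))


def closure(gens, n):
    """Every element of <gens> inside Sym(n), by breadth-first closure. For
    the toy group this brute force replaces the membership/non-membership
    proofs a real certificate would carry."""
    ident = tuple(range(n))
    seen = {ident}
    frontier = [ident]
    while frontier:
        nxt = []
        for x in frontier:
            for g in gens:
                y = compose(g, x)
                if y not in seen:
                    seen.add(y)
                    nxt.append(y)
        frontier = nxt
    return seen


def is_power_of(m, p):
    """True iff m = p^e for some e >= 0."""
    while m > 1 and m % p == 0:
        m //= p
    return m == 1


def verify_tower(p, tower, group, n):
    """Check one tower <h_1> < ... < <h_1,...,h_l>: every h_i lies in the
    group, each <h_1,...,h_i> is a p-group, and h_i is not in <h_1,...,h_{i-1}>.
    Each step is then a proper inclusion of p-groups, so the order grows by a
    factor of at least p and |<h_1,...,h_l>| >= p^l."""
    prev = closure([], n)                    # the trivial subgroup
    for i, h in enumerate(tower, start=1):
        if h not in group or h in prev:      # h_i in <h_1,...,h_{i-1}> would
            return False                     # make the inclusion collapse
        cur = closure(tower[:i], n)
        if not is_power_of(len(cur), p):
            return False
        prev = cur
    return True


def factor(N):
    """Prime factorisation of N by trial division, as {p: e}."""
    f, d = {}, 2
    while d * d <= N:
        while N % d == 0:
            f[d] = f.get(d, 0) + 1
            N //= d
        d += 1
    if N > 1:
        f[N] = f.get(N, 0) + 1
    return f


def verify_divisor_certificate(gens, n, N, towers):
    """Accept iff, for every prime power p^e exactly dividing N, the certificate
    supplies a valid tower of length at least e. A valid tower of length e is a
    p-subgroup of order at least p^e, so by Lagrange p^e divides |<gens>| for
    each p, and therefore N does."""
    group = closure(gens, n)
    for p, e in factor(N).items():
        tower = towers.get(p, [])
        if len(tower) < e or not verify_tower(p, tower, group, n):
            return False
    return True


if __name__ == "__main__":
    print("|S_4| =", len(closure(S4_GENS, 4)))
    print("24 | |S_4| certified:", verify_divisor_certificate(S4_GENS, 4, 24, TOWERS))
    print("16 | |S_4| certified:", verify_divisor_certificate(S4_GENS, 4, 16, TOWERS))
```

The checker accepts $N = 24$ and rejects $N = 16$ with the same certificate, since the 2-tower has length 3 while $2^4 \mid 16$ would need length 4; a tower that repeats an element, or whose closure is not a $p$-group, is likewise rejected.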

The remaining four problems, Simple Group, Intersection, Centralizer, and Maximal Normal 
Subgroup, are in co-QMA for any group oracle B. For the complements of each of these problems, 
quantum proofs may be obtained from quantum proofs for non-membership along with classical 
proofs for various properties as above. For the case of Simple Group and Maximal Normal Subgroup, 
we rely on the fact that there exist classical certificates for the property of one group being normal 
in another [6]. We leave the details for the reader. 

6 Open Problems 

We conclude by mentioning some open problems relating to quantum proofs and the class QMA. 

• Is Graph Non-Isomorphism in QMA? 

• Is Group Order in QMA? (That is, given group elements $g_1, \ldots, g_k$ and an integer $N$, are there succinct quantum proofs for the property $N = |\langle g_1, \ldots, g_k \rangle|$?)

• Is co-NP contained in QMA? Do unexpected consequences result from such a containment?

• We have claimed that $\mathrm{QMA} \subseteq \mathrm{PP}$; can a better upper bound be placed on the power of QMA? What other relations among QMA and other classes can be proved?